Re: common features with cross-origin correlation possibility

Though we're ramping up for Defcon, so it may have to wait until I return
in a couple weeks.


/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

/*******************************************/

On Thu, Jul 28, 2016 at 12:17 PM, Greg Norcie <gnorcie@cdt.org> wrote:

> I'll take a look, and if not craft some questions to make sure they're hit
> on.
>
> On Wed, Jul 27, 2016 at 10:32 PM, Nick Doty <npdoty@ischool.berkeley.edu>
> wrote:
>
>> Here are three common features or feature requests that have, in addition
>> to other privacy issues, potential problems with correlation across
>> origins, browsers or devices. I think we should establish guidance on these
>> points in one of our common documents so that we can point people to it.
>>
>> * Simultaneously-triggered events
>>
>> APIs that allow for subscribing to events also introduce the possibility
>> of correlating a user's activity across tabs, across origins or across
>> browsers. (I've noted this before, apologies for repetition.) I believe the
>> typical advice is to only trigger events for the front-most browsing
>> context or to fuzz the timing; given that we have typical advice, we should
>> have that written up somewhere.
>>
>>
>> * Access to sensors or device data
>>
>> The Generic Sensor API is already getting into this, I believe. Since
>> sensors typically give information about the world around the device, the
>> data is inherently cross-origin and can enable unexpected correlations.
>> Data on the device may be the same way -- in addition to the privacy issues
>> with accessing my calendar appointments or my contact database, a site can
>> also determine that I'm the same person if I share that information with
>> more than one page.
>>
>>
>> * Permanent, hardware identifiers:
>>
>> I think we should state that this is typically incompatible with the
>> Web's privacy model. Access to an unchangeable identifier or hardware key
>> means clearing cookies does not affect the capability of correlating user
>> activity.
>>
>>
>>
>> Greg, do we have these anywhere in the privacy questionnaire?
>>
>> The permanent identifiers could also be discussed in the Mitigating
>> Browser Fingerprinting doc, as we already have a section there on clearing
>> local state, but it's been noted that that might be extending beyond
>> fingerprinting, so perhaps it'll be moved to the more general privacy
>> questionnaire anyway.
>>
>> Thanks,
>> Nick
>>
>
>

Received on Friday, 29 July 2016 15:56:41 UTC